In recent years, Kocher introduced SCA techniques to the cryptographic community. Contrary to previous cryptanalysis methods that attack the mathematically difficult problems cryptographic techniques are based on, SCAs exploit physical properties of implementations in an attempt to compromise systems. Following the introduction of the new cryptanalysis techniques, numerous algorithms have been proposed that reduce or eliminate their effectiveness. Focusing on ECC, the paper proposes numerous SPA and DPA countermeasures relevant to random and Koblitz curve implementations. The countermeasures are described and briefly analyzed, including stating how they are proposed to reduce the effectiveness of the attacks. The implementation and performance of the countermeasures on a specific DSP is described. Furthermore, power traces of implementations of the techniques are examined for SPA attempts, as well as investigating the effectiveness of simulated DPA attacks on the DSP.
Among several countermeasures suggested for thwarting differential analysis are the random ordering of operations, insertion of random operations, and random insertion of operations. This paper presents a phase-substitution technique which, in combination with subsequent time-domain differential analysis, is shown to be able to thwart these three countermeasures in several experiments. Unlike previous techniques for aligning traces, this approach makes use of the phase information. The proposed technique involves: fast Fourier transform, phase-substitution, inverse fast Fourier transform and time-based differential analysis. Results are demonstrated using electromagnetic traces acquired from a PDA device (representing a complex embedded system including cache misses, operating system events, etc.). This research is important for future wireless embedded systems, which will increasingly demand higher levels of security.
Differential Analysis of a Low Energy Table-based Countermeasure for Secure Embedded Systems
Future wireless embedded devices will be increasingly powerful, supporting many more applications including one of the most crucial, security. Although many embedded devices offer more resistance to bus probing attacks due to their compact size, susceptibility to power or electromagnetic analysis attacks must be analyzed. This paper presents a table masking countermeasure to resist differential power analysis (DPA) and differential electromagnetic analysis (DEMA). Real power and EM measurements are used to verify the countermeasure using 2nd and 3rd order DPA and DEMA attacks on a popular low energy embedded ARM processor. Results show that the new table masking countermeasure provides increased security without large overheads of energy dissipation compared to previous countermeasures. With the emergence of security applications in PDAs, cellphones, and other embedded devices, low energy countermeasures for resistance to DPA/DEMA are crucial for supporting future wireless embedded systems.
Optimized mapping of video applications to hardware-software for VLSI architectures
Proceedings of the Twenty-Eighth Annual Hawaii International Conference on System Sciences, 1995
This research presents for the first time an integer optimization approach for scheduling video computations on bus-constrained VLSI architectures or on an existing VLIW processor. For many video systems a combination of processor and VLSI chip provides a low cost solution that meets given performance requirements. Thus tools for analyzing whether a video function is best implemented in hardware (VLSI) or in software (on a VLIW processor) are valuable. An optimization approach is presented which can efficiently map video computations to hardware or software. The technique maps fast (I)DCT-II applications to an existing VLIW video signal processor chip. Our research shows that the optimized mapping to VLSI architectures provides up to 66% fewer busses than previous research. This research is important for industry since the partitioning of applications into software or hardware has a significant impact on the overall cost and performance of video processing systems.
On the specification of symmetric key management parameters for secure space missions
2012 IEEE First AESS European Conference on Satellite Telecommunications (ESTEL), 2012
Although the vast majority of space communications are in the clear, security is an emerging trend in spacecraft missions. However, key management in space has received limited attention. This work provides an approach to symmetric key management with justification of parameters. Unlike previous approaches, quantitative analysis and models are proposed. Specifically, key hierarchy, key roles, key lengths and corresponding crypto periods are specified, based upon models of known attacks and computing power. These results are crucial in order to support future secure space missions and cryptographic modules onboard spacecraft.
Current flattening in software and hardware for security applications
International Conference on Hardware Software Codesign, 2004
This paper presents a new current flattening technique applicable in software and hardware. This technique is important in embedded cryptosystems since power analysis attacks (that make use of the current variation dependency on data and program) compromise the security of the system. The technique flattens the current internally by exploiting current consumption differences at the instruction level. Code transformations supporting
A SEU-resistant, FPGA-based implementation of the substitution transformation in AES for security on satellites
Designing single event upset (SEU)-resistant security for communications in satellites is an important yet challenging problem. For example, although SRAM-based FPGAs are beneficial for satellite applications, they are susceptible to SEUs. Harsh environments such as space, where cosmic radiation is present, increase the likelihood of these errors known as SEUs. However, these errors are also expected to be prevalent in non-space applications of future nanometer technologies. Thus this is an important problem to be studied for future secure embedded systems. Satellites require an encryption mechanism for many purposes; for example, to provide secure communications with the ground station. A SEU detection technique for a symmetric encryption algorithm, such as the NIST standardized Advanced Encryption Standard (AES), is additionally challenging due to its complex non-linear task in the algorithm, namely the substitution transformation (sub_byte). This research presents an efficient solut...
A global optimization approach to high level synthesis of VLSI multichip architectures is presented. Optimal application-specific architectures are synthesized to minimize latency given constraints on chip area, I/O pin count and interchip communication delays. A mathematical integer programming (IP) model for simultaneously partitioning, scheduling, and allocating hardware (functional units, I/O pins, and interchip buses) is formulated. By exploiting the problem structure (using polyhedral theory), the size of the search space is decreased and a new variable selection strategy is introduced based on the branch and bound algorithm. Multichip optimal architectures for several examples are synthesized in practical CPU times. Execution times are comparable to those for previous heuristic approaches. There are, however, significant improvements in optimal schedules and allocations of multichips.
SEU-resistant SHA-256 design for security in satellites
Signal Processing for Space …, 2008
SEU-Resistant SHA-256 Design for Security in Satellites. Marcio Juliato and Catherine Gebotys, Dept. ... This research proposes and analyzes various architectures for the SHA-256 hash function, which are of utmost importance to ensure secure communications. ...
This paper presents a comparison of statistically derived power prediction models at the algorithmic, instruction, and architectural levels for embedded high performance DSP processors. The approach is general enough to be applied to any embedded DSP processor. Results from 168 power measurements of DSP code show that power can be predicted at instruction and architecture levels with less than 2% error. This result is important for developing a general methodology for power characterization of embedded DSP software, since low power is critical to complex DSP applications in many cost sensitive markets.
Multiple heterogeneous processor cores, memory cores and application specific IP cores integrated in a communication network, also known as Networks on Chips (NoCs), will handle a large number of applications including security. Although NoCs offer more resistance to bus probing attacks, power/EM attacks and network snooping attacks are relevant. For the first time a framework for security on NoC at both the network level (or transport layer) and at the core level (or application layer) is proposed. At the network level, each IP core has a security wrapper and a key-keeper core is included in the NoC, protecting encrypted private and public keys. Using this framework, unencrypted keys are prevented from leaving the cores and NoC. This is crucial to prevent untrusted software on or off the NoC from gaining access to keys. At the core level (application layer) the security framework is illustrated with software modification for resistance against power attacks with extremely low overheads in energy. With the emergence of secure IP cores in the market and nanometer technologies, a security framework for designing NoCs is crucial for supporting future wireless internet enabled devices.
IEE Proceedings - Computers and Digital Techniques
A methodology and a macro-modelling approach are presented for analysing low-level current dynamics at the instruction and program level for a complex VLIW DSP processor core. An instruction-level macro-model, whose input parameters can be extracted from the DSP core's assembly level program, is introduced for power modelling. For the first time, dynamic power models of algorithms are introduced and verified with real power measurements of a DSP processor core in a VLSI chip. Results from both cryptographic and bubble sort applications show that dynamic power can be modelled with an average error in energy estimation ranging from 0.3% to 9.7%. The instruction-level macro-model of power also supports different clock frequencies and compressed algorithmic traces, important for security aware compilers. In general, the research is important for analysing and modelling the impact of software on power, the design of embedded cryptographic VLSI systems that are safe from power attacks, and for reliable design by detecting the peak current values generated by the software application.
Optimal design of cathodic protection schemes: a power engineering application
Proceedings of Canadian Conference on Electrical and Computer Engineering, 1993
Exposure of the elements of power systems to the harshest of environments promotes premature aging. In applications where metal comes in direct contact with electrolytic substances, deterioration occurs rapidly and with grave consequences. Underground and submarine schemes are most susceptible to corrosion due to the nature of the surrounding mediums. As periodic inspections and routine maintenance are not possible where the elements are immersed in a medium such as water, earth or concrete, an effective cathodic protection system is essential. While current design procedures provide a sufficient defence against corrosion, the protection schemes are not necessarily cost efficient. A new technique is presented in this paper for minimizing the cost of sacrificial anode beds used in pipe-type cable projects. The proposed method minimises a nonlinear problem to permit the design of a sacrificial anode bed which satisfies all project design requirements at a minimal cost. Anode bed designs based upon the proposed method are considerably less expensive than those built using traditional heuristic techniques.
This paper presents for the first time an optimization approach to synthesizing DSP-specific multichip architectures which maximize throughput. A new integer programming (IP) model is presented that supports simultaneous scheduling, allocation, partitioning, and maximization of throughput. The IP model is used to map a DSP application to a high speed multichip application-specific architecture. The same model supports a communication delay whenever data is transferred off of one chip and onto the other chip. This research breaks new ground by 1) simultaneously partitioning, scheduling, allocating, and maximizing throughput in practical CPU times, 2) guaranteeing optimal multichip architectures which maximize throughput, minimize area or minimize latency, 3) supporting interchip communication delay, and 4) providing industry with a DA tool for optimal mapping of DSP applications to high performance multichip architectures that can readily take advantage of emerging programmable VLSI technologies.
Recently, the new Multibase Non-Adjacent Form (mbNAF) method was introduced and shown to speed up the execution of the scalar multiplication with an efficient use of multiple bases to represent the scalar. In this work, we first optimize the previous method using fractional windows, and then introduce further improvements to achieve additional cost reductions. Moreover, we present new improvements in the point operation formulae. Specifically, we reduce further the cost of composite operations such as quintupling and septupling of a point, which are relevant for the speed up of multibase methods in general. Remarkably, our tests show that, in the case of standard elliptic curves, the refined mbNAF method can be as efficient as Window-w NAF using an optimal fractional window size. Thus, this is the first published method that does not require precomputations to achieve comparable efficiency to the standard window-based NAF method using precomputations. On other highly efficient curves such as Jacobi quartics and Edwards curves, our tests show that the refined mbNAF currently attains the highest performance for both scenarios, using precomputations and without precomputations.
We present an innovative technique to add elliptic curve points with the form P ± Q, and discuss its application to the generation of precomputed tables for the scalar multiplication. Our analysis shows that the proposed schemes offer, to the best of our knowledge, the lowest costs for precomputing points on both single and multiple scalar multiplication and for various elliptic curve forms, including the highly efficient Jacobi quartics and Edwards curves.
Future wireless embedded devices will be increasingly powerful supporting many more applications ... more Future wireless embedded devices will be increasingly powerful supporting many more applications including one of the most crucial, security. Although many embedded devices offer more resistance to bus probing attacks due to their compact size, susceptibility to power or electromagnetic analysis attacks must be analyzed. This paper presents a table masking countermeasure to resist differential power analysis (DPA) and differential electromagnetic analysis (DEMA). Real power and EM measurements are used to verify the countermeasure using 2 nd and 3 rd order DPA and DEMA attacks on a popular low energy embedded ARM processor. Results show that the new table masking countermeasure provides increased security without large overheads of energy dissipation compared to previous countermeasures. With the emergence of security applications in PDAs, cellphones, and other embedded devices, low energy countermeasures for resistance to DPA/DEMA is crucial for supporting future wireless embedded ...
In recent years, Kocher introduced SCA techniques to the cryptographic community. Contrary to pre... more In recent years, Kocher introduced SCA techniques to the cryptographic community. Contrary to previous cryptanalysis methods that attack the mathematically difficult problems cryptographic techniques are based on, SCAs exploit physical properties of implementations in an attempt to compromise systems. Following the introduction of the new cryptanalysis techniques, numerous algorithms have been proposed that reduce or eliminate their effectiveness. Focusing on ECC, the paper proposes numerous SPA and DPA countermeasures relevant to random and Koblitz curve implementations. The countermeasures are described and briefly analyzed, including stating how they are proposed to reduce the effectiveness of the attacks. The implementation and performance of the countermeasures on a specific DSP is described. Furthermore, power traces of implementations of the techniques are examined for SPA attempts, as well as investigating the effectiveness of simulated DPA attacks on the DSP.
Among several countermeasures suggested for thwarting differential analysis are the random orderi... more Among several countermeasures suggested for thwarting differential analysis are the random ordering of operations, insertion of random operations, and random insertion of operations. This paper presents a phase-substitution technique which in combination with subsequent time-domain differential analysis is shown to be able to thwart these three countermeasures in several experiments. Unlike previous techniques for aligning traces, this approach makes use of the phase information. The proposed technique involves: fast fourier transform, phase-substitution, inverse fast fourier transform and time-based differential analysis. Results are demonstrated using electromagnetic traces acquired from a PDA device (representing a complex embedded system including cache misses, operating system events, etc). This research is important for future wireless embedded systems which will increasingly demand higher levels of security.
Differential Analysis of a Low Energy Table-based Countermeasure for Secure Embedded Systems
Future wireless embedded devices will be increasingly powerful supporting many more applications ... more Future wireless embedded devices will be increasingly powerful supporting many more applications including one of the most crucial, security. Although many embedded devices offer more resistance to bus probing attacks due to their compact size, susceptibility to power or electromagnetic analysis attacks must be analyzed. This paper presents a table masking countermeasure to resist differential power analysis (DPA) and differential electromagnetic analysis (DEMA). Real power and EM measurements are used to verify the countermeasure using 2 and 3 order DPA and DEMA attacks on a popular low energy embedded ARM processor. Results show that the new table masking countermeasure provides increased security without large overheads of energy dissipation compared to previous countermeasures. With the emergence of security applications in PDAs, cellphones, and other embedded devices, low energy countermeasures for resistance to DPA/DEMA is crucial for supporting future wireless embedded systems.
Optimized mapping of video applications to hardware-software for VLSI architectures
Proceedings of the Twenty-Eighth Annual Hawaii International Conference on System Sciences, 1995
This research presents for the first time an integer optimization approach for scheduling video c... more This research presents for the first time an integer optimization approach for scheduling video computations on bus-constrained VLSI architectures or on an existing VLIW processor. For many video systems a combination of processor and VLSI chip provides a low cost solution that meets given performance requirements. Thus tools for analyzing whether a video function is best implemented in hardware (VLSI) or in software (on a VLIW processor) are valuable. An optimization approach is presented which can efficiently map video computations to hardware or software. The technique maps fast (I)DCT-II applications to an existing VLIW video signal processor chip. Our research shows that the optimized mapping to VLSI architectures provides up to 66% fewer busses than previous research. This research is important for industry since the partitioning of applications into software or hardware has a significant impact on the overall cost and performance of video processing systems.<<ETX>>
On the specification of symmetric key management parameters for secure space missions
2012 IEEE First AESS European Conference on Satellite Telecommunications (ESTEL), 2012
Although the vast majority of space communications are in-the-clear, security is an emerging tren... more Although the vast majority of space communications are in-the-clear, security is an emerging trend in spacecraft missions. However, key management in space has received limited attention. This work provides an approach to symmetric key management with justification of parameters. Unlike previous approaches, quantitative analysis and models are proposed. Specifically, key hierarchy, key roles, key lengths and corresponding crypto periods are specified, based upon models of known attacks, and computing power. These results are crucial in order to support future secure space missions and cryptographic modules onboard spacecrafts.
Current flattening in software and hardware for security applications
International Conference on Hardware Software Codesign, 2004
This paper presents a new current flattening technique applicable in software and hardware. This ... more This paper presents a new current flattening technique applicable in software and hardware. This technique is important in embedded cryptosystems since power analysis attacks (that make use of the current variation dependency on data and program) compromise the security of the system. The technique flattens the current internally by exploiting current consumption differences at the instruction level. Code transformations supporting
A SEU-resistant, FPGA-based implementation of the substitution transformation in AES for security on satellites
Designing single event upset (SEU)-resistant security for communications in satellites is an impo... more Designing single event upset (SEU)-resistant security for communications in satellites is an important yet challenging problem. For example, although SRAM-based FPGAs are beneficial for satellite applications, they are susceptible to SEUs. Harsh environments such as space where cosmic radiation is present increase the likelihood of these errors known as SEUs. However these errors are also expected to be prevalent in non-space applications of future nanometer technologies. Thus this is an important problem to be studied for future secure embedded systems. Satellites require an encryption mechanism for many purposes; for example, to provide secure communications with the ground station. A SEU detection technique for a symmetric encryption algorithm, such as the NIST standardized Advanced Encryption Standard (AES), is additionally challenging due to its complex non-linear task in the algorithm, namely the substitution transformation (sub_byte). This research presents an efficient solut...
A global optimization approach to high level synthesis of VLSI multichip architectures is present... more A global optimization approach to high level synthesis of VLSI multichip architectures is presented. Optimal application-specific architectures are synthesized to minimize latency given constraints on chip area, I/O pin count and interchip communication delays. A mathematical integer programming (IP) model for simultaneously partitioning, scheduling, and allocating hardware (functional units, I/O pins, and interchip buses) is formulated. By exploiting the problem structure (using polyhedral theory), the size of the search space is decreased and a new variable selection strategy is introduced based on the branch and bound algorithm. Multichip optimal architectures for several examples are synthesized in practical CPU times. Execution times are comparable to those for previous heuristic approaches. There are, however, significant improvements in optimal schedules and allocations of multichips
SEU-resistant SHA-256 design for security in satellites
Signal Processing for Space …, 2008
Page 1. SEU-Resistant SHA-256 Design for Security in Satellites Marcio Juliato and Catherine Gebo... more Page 1. SEU-Resistant SHA-256 Design for Security in Satellites Marcio Juliato and Catherine Gebotys Dept. ... This re-search proposes and analyzes various architectures for SHA-256 hash function which are of utmost importance to ensure secure communications. ...
This paper presents a comparison of statisticallyderived power prediction models at the algorithm... more This paper presents a comparison of statisticallyderived power prediction models at the algorithmic, instruction, and architectural levels for embedded high performance DSP processors. The approach is general enough to be applied to any embedded DSP processor. Results from 168 power measurements of DSP code show that power can be predicted at instruction and architecture levels with less than 2% error. This result is important for developing a general methodology for power characterization of embedded DSP software since low power is critical to complex DSP applications in many cost sensitive markets.
Multiple heterogeneous processor cores, memory cores and application specific IP cores integrated... more Multiple heterogeneous processor cores, memory cores and application specific IP cores integrated in a communication network, also known as Networks on chips (NoCs), will handle a large number of applications including security. Although NoCs offer more resistance to bus probing attacks, power/EM attacks and network snooping attacks are relevant. For the first time a framework for security on NoC at both the network level (or transport layer) and at the core level (or application layer) is proposed. At the network level, each IP core has a security wrapper and a key-keeper core is included in the NoC protecting encrypted private and public keys. Using this framework, unencrypted keys are prevented from leaving the cores and NoC. This is crucial to prevent untrusted software on or off the NoC from gaining access to keys. At the core level (application layer) the security framework is illustrated with software modification for resistance against power attacks with extremely low overheads in energy. With the emergence of secure IP cores in the market and nanometer technologies, a security framework for designing NoCs is crucial for supporting future wireless internet enabled devices.
IEE Proceedings - Computers and Digital Techniques
A methodology and a macro-modelling approach are presented for analysing low-level current dynami... more A methodology and a macro-modelling approach are presented for analysing low-level current dynamics at the instruction and program level for a complex VLIW DSP processor core. An instruction-level macro-model, whose input parameters can be extracted from the DSP core's assembly level program, is introduced for power modelling. For the first time, dynamic power models of algorithms are introduced and verified with real power measurements of a DSP processor core in a VLSI chip. Results from both cryptographic and bubble sort applications show that dynamic power can be modelled with an average error in energy estimation ranging from 0.3% to 9.7%. The instruction-level macro-model of power also supports different clock frequencies and compressed algorithmic traces, important for security aware compilers. In general, the research is important for analysing and modelling the impact of software on power, the design of embedded cryptographic VLSI systems that are safe from power attacks, and for reliable design by detecting the peak current values generated by the software application.
In recent years, Kocher introduced SCA techniques to the cryptographic community. Contrary to pre... more In recent years, Kocher introduced SCA techniques to the cryptographic community. Contrary to previous cryptanalysis methods that attack the mathematically difficult problems cryptographic techniques are based on, SCAs exploit physical properties of implementations in an attempt to compromise systems. Following the introduction of the new cryptanalysis techniques, numerous algorithms have been proposed that reduce or eliminate their effectiveness. Focusing on
Optimal design of cathodic protection schemes: a power engineering application
Proceedings of Canadian Conference on Electrical and Computer Engineering, 1993
Exposure of the elements of power systems to the harshest of environments promotes premature aging. In applications where metal comes into direct contact with electrolytic substances, degradation occurs rapidly and with grave consequences. Underground and submarine schemes are most susceptible to corrosion because of the nature of the surrounding media. As periodic inspections and routine maintenance are not possible where the elements are immersed in a medium such as water, earth or concrete, an effective cathodic protection system is essential. While current design procedures provide a sufficient defence against corrosion, the protection schemes are not necessarily cost efficient. A new technique is presented in this paper for minimising the cost of sacrificial anode beds used in pipe-type cable projects. The proposed method minimises a nonlinear problem to permit the design of a sacrificial anode bed which satisfies all project design requirements at minimal cost. Anode bed designs based upon the proposed method are considerably less expensive than those built using traditional heuristic techniques.
This paper presents for the first time an optimisation approach to synthesising DSP-specific multichip architectures which maximise throughput. A new integer programming (IP) model is presented that supports simultaneous scheduling, allocation, partitioning and maximisation of throughput. The IP model is used to map a DSP application to a high-speed multichip application-specific architecture. The same model supports a communication delay whenever data is transferred off one chip and onto another. This research breaks new ground by 1) simultaneously partitioning, scheduling, allocating and maximising throughput in practical CPU times, 2) guaranteeing optimal multichip architectures which maximise throughput, minimise area or minimise latency, 3) supporting inter-chip communication delay, and 4) providing industry with a design-automation (DA) tool for optimal mapping of DSP applications to high-performance multichip architectures that can readily take advantage of emerging programmable VLSI technologies.
Recently, the new Multibase Non-Adjacent Form (mbNAF) method was introduced and shown to speed up the execution of scalar multiplication through an efficient use of multiple bases to represent the scalar. In this work, we first optimise the previous method using fractional windows, and then introduce further improvements to achieve additional cost reductions. Moreover, we present new improvements in the point operation formulae. Specifically, we further reduce the cost of composite operations such as quintupling and septupling of a point, which are relevant for the speed-up of multibase methods in general. Remarkably, our tests show that, in the case of standard elliptic curves, the refined mbNAF method can be as efficient as window-w NAF using an optimal fractional window size. Thus, this is the first published method that does not require precomputations to achieve efficiency comparable to the standard window-based NAF method using precomputations. On other highly efficient curves, such as Jacobi quartics and Edwards curves, our tests show that the refined mbNAF currently attains the highest performance both with and without precomputations.
We present an innovative technique to add elliptic curve points of the form P ± Q, and discuss its application to the generation of precomputed tables for scalar multiplication. Our analysis shows that the proposed schemes offer, to the best of our knowledge, the lowest costs for precomputing points for both single and multiple scalar multiplication and for various elliptic curve forms, including the highly efficient Jacobi quartics and Edwards curves.
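The two abstracts above describe multibase scalar multiplication and the simultaneous computation of P + Q and P − Q for precomputed tables. The Python below is an added illustration, not code from either paper: it implements the general ideas in simplified form, namely a greedy {2,3} double-base chain with digits {−1, +1} (no fractional windows and no optimised composite formulae), affine arithmetic on a constructed toy curve y² = x³ + 2x + 3 over F_97 with base point (3, 6), and a P + Q / P − Q routine that shares its single field inversion because both slopes have the same denominator x_Q − x_P. The curve, the base point, the recoding rule and all function names are assumptions made for the example; it checks itself against plain double-and-add.

```python
# Added example (not from the papers): {2,3} double-base chain scalar multiplication
# with digits {-1,+1}, plus P+Q / P-Q with one shared inversion.
# Curve parameters are constructed toy values (assumption), not a standard curve.

P_MOD = 97        # toy prime field
A_COEF = 2        # y^2 = x^3 + 2x + 3 over F_97
B_COEF = 3
G = (3, 6)        # on the curve: 6^2 = 36 = 27 + 6 + 3


def on_curve(P):
    if P is None:                       # None is the point at infinity
        return True
    x, y = P
    return (y * y - (x * x * x + A_COEF * x + B_COEF)) % P_MOD == 0


def ec_neg(P):
    return None if P is None else (P[0], (-P[1]) % P_MOD)


def ec_add(P, Q):
    """Affine addition/doubling on y^2 = x^3 + ax + b."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:      # Q == -P (covers 2P of a 2-torsion point)
            return None
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def add_and_sub(P, Q):
    """Return (P+Q, P-Q). The slopes to Q and to -Q share the denominator
    x2 - x1, so one inversion serves both table entries."""
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        raise ValueError("P and Q must have distinct x-coordinates")
    inv = pow((x2 - x1) % P_MOD, -1, P_MOD)
    out = []
    for yq in (y2, -y2):                # Q, then -Q
        lam = (yq - y1) * inv % P_MOD
        x3 = (lam * lam - x1 - x2) % P_MOD
        out.append((x3, (lam * (x1 - x3) - y1) % P_MOD))
    return tuple(out)


def double_and_add(k, P):
    """Reference left-to-right binary method."""
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, P)
    return R


def mbnaf_recode(k):
    """Greedy {2,3} chain built from the low end: ('D',0) halves k, ('T',0)
    thirds k, ('A',d) subtracts d in {-1,+1}. An odd k not divisible by 3 is
    1 or 5 mod 6, so exactly one of k-1, k+1 is a multiple of 6; picking that
    digit lets both a halving and a thirding follow, keeping the chain short."""
    ops = []
    while k > 0:
        if k % 2 == 0:
            k //= 2
            ops.append(("D", 0))
        elif k % 3 == 0:
            k //= 3
            ops.append(("T", 0))
        else:
            d = 1 if k % 6 == 1 else -1
            k -= d
            ops.append(("A", d))
    return ops


def chain_value(ops):
    """Integer the chain evaluates to (sanity check on the recoding)."""
    k = 0
    for op, d in reversed(ops):
        k = 2 * k if op == "D" else (3 * k if op == "T" else k + d)
    return k


def mbnaf_mul(k, P):
    """Evaluate the chain on the curve using only P and -P (no table)."""
    negP = ec_neg(P)
    Q = None
    for op, d in reversed(mbnaf_recode(k)):
        if op == "D":
            Q = ec_add(Q, Q)
        elif op == "T":
            Q = ec_add(ec_add(Q, Q), Q)  # naive tripling; the papers use optimised composite formulae
        else:
            Q = ec_add(Q, P if d == 1 else negP)
    return Q


def op_counts(k):
    counts = {"D": 0, "T": 0, "A": 0}
    for op, _ in mbnaf_recode(k):
        counts[op] += 1
    return counts


if __name__ == "__main__":
    for k in range(1, 200):
        assert mbnaf_mul(k, G) == double_and_add(k, G)
    print(op_counts(5), mbnaf_mul(5, G))
```

`op_counts(k)` makes the trade-off visible: a chain mixes doublings, triplings and a few additions instead of one doubling per bit, which is the point of multibase representations, while `add_and_sub` shows why P ± Q pairs are cheap to tabulate. The real methods go further (fractional windows, curve-specific composite formulae), so treat this as the shape of the technique rather than its cost figures.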
Papers by C Gebotys